• Jinwei Hu，Yan Zhang，Ruixuan Li，Zhengding Lu

In distributed environments, statements from a number of princi-pals, besides the central trusted party, may in?uence the derivationsof authorization decisions. However, existing authorization logicsput few emphasis on this set of principals - authorization prove-nance. Reasoning about provenance enables to (1) defend againsta class of attacks, (2) understand and analyze authorizations andthe status of policy bases, and (3) obtain potentially ef?cient log-ging and auditing guided by provenance information. This paperpresents the design and applications of a provenance-enabled au-thorization logic, called DBT. More speci?cally, we give a soundand complete axiomatic system of DBT.We also examine a class ofprovenance-aware policy bases and queries. One can syntacticallyextract provenance information from the structure of these queriesif they are evaluated positively in provenance-aware policy bases.Finally, two case studies are presented to demonstrate possible ap-plications of DBT.

• Authorization Provenance；Authorization Logic